MicroStrategy ONE
Add Trusted Server Support in iOS
Trusted server support strengthens the normal security provided by HTTPS, in particular making it difficult for a malicious server to carry out a man-in-the-middle attack. While HTTPS simply checks to see if a certificate in the certificate chain for the server exists in the trust store on the mobile device, trusted server support compares the public key for the Mobile Server with the same public key bundled into MicroStrategy Mobile on the mobile device.
Like any other application contacting a server, when a MicroStrategy Mobile application attempts to connect to a Mobile Server, it first performs the standard HTTPS certificate verification. If HTTPS verification is successful, MicroStrategy Mobile then checks to see whether it should verify that the Mobile Server is a trusted server. It does this by looking in FinalBundle.bundle to see if there are any certificates in a folder with the name of the Mobile Server. If it finds a certificate, it compares the hash of the public key in that certificate with the hash of the public key in the certificate on the Mobile Server. If the hashes match, the connection is allowed.
The MicroStrategy Mobile implementation of trusted server support follows the IETF certificate pinning guidelines. In addition to minimizing the risk of a man-in-the-middle attack, trusted server support has the advantage that it will continue working even if the certificate for the Mobile Server changes—for example, if it expires. There is no need to recompile the MicroStrategy Mobile app since the public key itself has not changed, only the certificate. There is also support for multiple certificates for a single Mobile Server. This allows you to create a backup certificate for a Mobile Server, without deploying it, and bundle that certificate in MicroStrategy Mobile. If your existing certificate is compromised, the backup certificate can be deployed and your app can keep working.
To add trusted server support, or certificate pinning, to MicroStrategy Mobile, do the following:
- Open the MicroStrategyMobile project in Xcode.
- Expand Resources, then FinalBundle.bundle, then Contents, then Resources and create a PINS folder.
- Under the PINS folder, add a separate folder for each Mobile Server that you want the MicroStrategy Mobile application to trust. The name of the folder should be the fully-qualified name of the Mobile Server—for example, myMobileServer1.myDivision.myCompany.com.
- In each Mobile Server folder, add the .cer or .pem certificates that should be trusted when MicroStrategy Mobile tries to connect to that server.
- Save your changes.
- Compile the application and deploy it to users.
If the certificate authority (CA) is trusted by default on the iOS device with the MicroStrategy Mobile application, nothing else needs to be done. However, if the CA is not trusted by default—for example, if the certificates are self-signed—you need to use the iPhone Configuration Utility to install the CA on the device.
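The public-key comparison described above can be rehearsed offline before a certificate is renewed or a backup is deployed. The script below is an added example, not MicroStrategy code: it assumes the pin is the base64 SHA-256 of the certificate's DER-encoded SubjectPublicKeyInfo (the page does not name the hash), uses hypothetical helper names (`spki_pin`, `pin_matches`), and generates throwaway keys and self-signed certificates as constructed sample data.

```shell
#!/bin/sh
# Added example (not MicroStrategy code). Assumption: the pin is the base64
# SHA-256 of the DER SubjectPublicKeyInfo; the page does not name the hash.

cert_pubkey() {   # print a certificate's public key as PEM; accepts PEM or DER input
    openssl x509 -in "$1" -inform PEM -noout -pubkey 2>/dev/null ||
        openssl x509 -in "$1" -inform DER -noout -pubkey 2>/dev/null
}

spki_pin() {      # print the pin for one certificate file; fail if it cannot be parsed
    pub=$(cert_pubkey "$1") || return 1
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary | openssl base64
}

pin_matches() {   # pin_matches HOST_FOLDER SERVER_CERT: 0 if any bundled cert shares its key
    want=$(spki_pin "$2") || return 2
    for f in "$1"/*.cer "$1"/*.pem; do
        [ -f "$f" ] || continue
        if [ "$(spki_pin "$f")" = "$want" ]; then return 0; fi
    done
    return 1
}

# --- constructed sample data: throwaway keys and self-signed certificates ---
HOST=myMobileServer1.myDivision.myCompany.com
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PINDIR="$WORK/PINS/$HOST"
mkdir -p "$PINDIR"
newcert() {       # newcert KEY OUT DAYS: self-signed certificate for $HOST
    openssl req -x509 -new -key "$1" -subj "/CN=$HOST" -days "$3" -out "$2" 2>/dev/null
}
for k in live backup other; do openssl genrsa -out "$WORK/$k.key" 2048 2>/dev/null; done
newcert "$WORK/live.key"   "$PINDIR/current.pem" 30     # bundled: certificate in use
newcert "$WORK/backup.key" "$PINDIR/backup.pem"  365    # bundled: undeployed backup
newcert "$WORK/live.key"   "$WORK/renewed.pem"   365    # renewal that reuses the key
newcert "$WORK/other.key"  "$WORK/unknown.pem"   365    # key that was never bundled
openssl x509 -in "$PINDIR/backup.pem" -outform DER -out "$WORK/backup-deployed.cer"

for c in renewed.pem backup-deployed.cer unknown.pem; do
    if pin_matches "$PINDIR" "$WORK/$c"; then echo "$c: matches a bundled public key"
    else echo "$c: no bundled public key matches"; fi
done
```

Run against real files, `pin_matches` takes the server's folder under PINS and the certificate you intend to deploy; a mismatch means the new certificate was issued for a key that is not bundled in the app.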